Static Analysis of Active XML Systems

Transcription

1 Static Analysis of Active ML Systems Serge Abiteboul INRIA-Saclay & U. Paris Sud, France Luc Segoufin INRIA & LSV - ENS Cachan, France Victor Vianu U.C. San Diego, USA Abstract Active ML is a high-level specification language tailored to data-intensive, distributed, dynamic Web services. Active ML is based on ML documents with embedded function calls. The state of a document evolves depending on the result of internal function calls (local computations) or external ones (interactions with users or other services). Function calls return documents that may be active, so may activate new subtasks. The focus of the paper is on the verification of temporal properties of runs of Active ML systems, specified in a tree-pattern based temporal logic, Tree-LTL, that allows expressing a rich class of semantic properties of the application. The main results establish the boundary of decidability and the complexity of automatic verification of Tree-LTL properties. 1 Introduction Data-intensive, distributed, dynamic applications are pervasive on today s Web. The reliability of such applications is often critical, but their logical complexity makes them vulnerable to potentially costly bugs. Classical automatic verification techniques operate on finite-state abstractions that ignore the critical semantics associated with data in such applications. The need to take into account data semantics has spurred interest in studying static analysis tasks in which data is explicitly present (see related work). In this paper, we make a contribution in this direction by investigating automatic verification in a model tightly integrating the ML and Web service paradigms. Specifically, we consider Active ML, a high-level specification language tailored to data-intensive Web applications, and Tree-LTL, a tree-based temporal logic that can express a rich class of temporal properties of such applications. We establish the boundary of decidability and the complexity of automatic verification in this setting. In particular, we isolate an important fragment of Active ML (sufficient to describe a large class of applications) for which the verification of temporal properties is decidable. Active ML documents [2, 4] (AML for short) are ML documents [25] with embedded function calls realized as Web service calls [26]. In the spirit of [20, 23], a document is seen as a process that evolves in time. A function call is seen as a request to carry out a subtask whose result may lead to a change of state in the document. An Active ML system specifies a set of interacting AML documents. Our goal is to analyze the behavior of such systems, which is especially challenging because the presence of data induces infinitely many states. To illustrate the kind of applications we target, consider a mail order processing system. The arrival of a new order corresponds to the initiation of a new task. At each moment, the system is running a possibly large number of orders, initiated by different users. Processing each order may involve various sub-tasks. Work supported by the Agence Nationale de la Recherche under grant Docflow, 06-MDCA-005. Work supported in part by the National Science Foundation under grant number IIS

2 For instance, a credit check may be requested from a credit service, and its outcome determines how the order proceeds. In our approach, the entire mail order system, as well as each individual order, are seen as AML documents that evolve in time. Our goal is to analyze the behavior of AML systems, and in particular to verify temporal properties of their runs. For instance, one may want to verify whether some static property (e.g., all ordered products are available) and some dynamic property (e.g. an order is never delivered before payment is received) always hold. The language Tree-LTL allows to express a rich class of such properties. A main contribution of the paper is to carefully design an appropriate restriction of AML that is expressive enough to describe meaningful applications, and can also serve as a convenient formal vehicle for studying decidability and complexity boundaries for verification in the model. This has lead to Guarded AML, that we briefly describe next. In Guarded AML (GAML for short), document trees are unordered. With ordered trees, verification quickly becomes intractable. GAML distinguishes between internal and external services. An internal service is a service that is completely specified, i.e., its precise semantics is known. External services capture interactions with other services and with users. For these, only partial information on their input and output types is available. Finally, the most novel feature of the model in the AML context is a guard mechanism for controlling the initiation and completion of subtasks (formally function calls). Guards are Boolean combinations of tree patterns. They facilitate specifying applications driven by complex workflows and, more generally, they provide a very useful programming paradigm for active documents. An AML system consists of AML documents running on different peers and interacting between them and with the external world. To simplify the presentation, we consider here single-peer systems. We will mention how the model can be extended to multipeer systems and how our results can be applied to this larger setting, that actually motivated this work. Our main results establish the boundary of decidability of satisfaction of Tree-LTL properties by GAML systems. We obtain decidability by disallowing recursion in GAML systems, which leads to a bound on the number of function calls in runs. We prove that for such recursion-free GAML, the satisfaction of Tree- LTL formulas is CO-2NEPTIME-complete. We also consider various relaxations of the non-recursiveness restriction and show that they each lead to undecidability. This establishes a fairly tight boundary of decidability of verification. At the same time, we show that certain limited but useful verification tasks remain decidable even with recursion. For instance, we provide a decidable sufficient condition for safety with respect to a Boolean combination of tree patterns. We also show that it is decidable whether a state satisfying a Boolean combination of tree patterns can be reached within a specified number of steps in a run. Related work Most of previous works on static analysis on ML (with data values) deal with documents that do not evolve in time. Typically, they consider the consistency problem for ML specifications using DTDs and (foreign) key constraints [7, 8], the query containment problem [5] or the type checking problem [9]. This motivated studies of automata and logics on strings and trees over infinite alphabets [22, 13, 10]. See [24] for a survey on related issues. Previous works also considered the evolution of documents. For instance, static analysis was considered in [1] for a restricted monotone AML language, positive AML. Their setting is very different from ours as their systems are monotone. In contrast, we consider a broader verification task for non-monotone systems. Verification of temporal properties of Web services has mostly been considered using models abstracting away data values (see [19] for a survey). Verification of data-intensive Web services is studied in [14, 16], and a verifier implemented [15]. As in our case, this work takes into account data and establishes the boundary of decidability and complexity of verification for a restricted class of services and properties expressed in a temporal logic. While this is related in spirit to the present work, the technical differences 2

3 stemming from the AML setting render the two investigations incomparable. The related work that is perhaps closest to this paper is [18], where a tree pattern rewriting systems is introduced to model the evolution of dynamic ML documents. The rewriting system may be recursive, but ML documents have no data values in their model. The main result is that reachability of a tree satisfying a specified pattern is decidable under certain conditions. This is orthogonal to our results, because of the absence of data values. Organization After presenting in Section 2 the GAML model and the language Tree-LTL, we present in Section 3 the decidability and complexity results for recursion-free GAML services. Relaxations of non-recursiveness are considered in Section 4, and shown to lead to undecidability. The decidability results on safety and bounded reachability are also presented in Section 4. Finally, extensions of our model and decidability results to compositions of GAML systems are presented in Section 5. The paper concludes with a brief discussion. 2 The GAML model We formalize in this section the GAML model. To simplify the presentation, we consider a system with a single peer (we revisit this issue in Section 5). To illustrate our definitions, we use fragments of a Mail Order GAML processing system, detailed in the appendix. In this paper, trees are unranked and unordered. A forest is a set of trees. The notions of node, child, descendant, ancestor, and parent relations between nodes are defined in the usual way. A subtree of a tree T is the tree induced by T on the set of all descendants of a particular node. We assume given the following disjoint infinite sets: nodes N (denoted x,y), tags Σ (denoted a,b,c,...), function symbols F, data values D (denoted α,β,...), data variables V (denoted,, Z,...), possibly with subscripts. We also use two sets of marked function symbols, F! = {!f f F} and F? = {?f f F}. Intuitively,!f labels a node where a call to function f can be made (possible call), and?f labels a node where a call to f has been made, but whose result has not yet been returned (running call). We denote by F?! the union F! F?. Main Catalog!Mailorder MailOrder Product Product Product Order-Id Cname!Bill!Deliver!Reject Price Price Price Serge Nikon Canon 120 Nikon 199 Sony 175 Figure 1: A GAML document. A Guarded AML (GAML) document is a tree whose internal nodes are labeled with tags in Σ and whose leaves are labeled by either tags, marked function symbols, or data values. A GAML forest is a set of GAML trees. An example of GAML document is given in Figure 1 (see Appendix for the full specification of the Mail Order example). To avoid repetitions of isomorphic sibling subtrees, we define the notion of reduced tree. Two trees T 1 and T 2 are isomorphic iff there exists a bijection from the nodes of T 1 to the nodes of T 2 that preserves the edge relation and the labeling of nodes. A tree is reduced if it contains no isomorphic sibling subtrees. Clearly, each tree T can be reduced by eliminating duplicate isomorphic subtrees, and the result is unique 3

4 up to isomorphism. We henceforth assume that all trees considered are reduced, unless stated otherwise. However, forests may generally contain multiple isomorphic trees. Patterns We use patterns as the building blocks for guards controlling the activation of function calls and as a basis for our query language. Patterns are constructed from tree patterns that we define first. A tree pattern is a tree whose edges and nodes are labeled. An edge label indicates a child (/) or descendant (//) relationship. A node label either restricts the label of the node or is a variable denoting a data value. A constraint consisting of a Boolean combination of (in)equalities between the variables and/or data constants may also be given. Formally, a tree pattern p is a tuple (M,G,λ M,λ G ), where: (M,G) is a finite tree with M N, λ M : M Σ F?! D V { } is a node labeling function such that λ M (x) Σ { } for every internal node x, λ G : G {/,//}. Let p be a tree pattern and T a tree. A matching of p into T is a mapping µ from the nodes of p to the nodes of T such that: (i) the root of p is mapped to the root of T, (ii) µ interprets / as child and // as descendant, (iii) µ preserves the labels in Σ F?! D, (iv) nodes in p labeled with variables are mapped to nodes in T labeled with data values, and (v) if two nodes x,x are labeled with the same variable, the nodes µ(x),µ(x ) must be labeled with the same data value. If µ maps a node x labeled with some variable to some node labeled with some data value α, we say by extension that µ() = α. Note that this is well defined because of (v). Observe that nodes labeled with are unrestricted, so acts as a wildcard. A pattern P is a pair ({p 1,...,p n }, cond), where each p i is a tree pattern and cond is a Boolean combination of expressions = α or α, where V and α V D. In particular cond could include joins of the form =. A matching of P = ({p 1,...,p n }, cond) into a forest F is a mapping µ that is a matching of each p i into some tree of F, and for which cond is satisfied. More precisely, if = α is in cond, then µ() = α if α D and µ() = µ(α) if α V. And similarly, for α. An example is given in Figure 2 (a). The pattern shown there expresses the fact that the value Order-Id is not a key. It does not hold on the GAML document of Figure 1. (Indeed, we want Order-Id to be a key.) We say that a pattern P holds in a forest F iff there exists at least one matching of P into F. We then say that P(F) is true, otherwise it is false. This definition extends to Boolean combination of patterns by replacing each pattern P by P(F). In particular this means that the patterns are matched independently of each other: If a variable occurs in two different patterns P and P of the Boolean combination, then it is treated as quantified existentially in P and independently quantified in P. In some guards and queries, we use patterns that are evaluated relative to a specified node in the tree. More precisely, a relative pattern is a pair (P, self ) where P is a pattern and self is a node of P. A relative pattern (P, self ) is evaluated on a pair (F,x) where F is a forest and x is a node of F. Such a pattern forces the node self in the pattern to be mapped to x. Figure 2 (b) provides an example of relative pattern. The pattern shown there checks that a product that has been ordered occurs in the catalog. It holds in the GAML document of Figure 1 when evaluated at the unique node labeled!bill. We also consider Boolean combinations of (relative) patterns. The (relative) patterns are matched independently of each other and the Boolean operators have their standard meaning. Queries As previously mentioned, patterns are also used in queries, as shown next. A query is defined by pairs of patterns, a Body and a Head. When evaluated on a forest, the matchings of Body define a set of 4

5 Main (a) Main (b) MailOrder MailOrder Product MailOrder Order-Id Cname Order-Id Cname self Z or Z Z Z Figure 2: Two patterns valuations of its variables. The Head pattern then specifies how to construct the result from these valuations. A particular node ( constructor node below) specifies a form of nesting. More formally, a query is an expression Body Head, where Body is a pattern and Head is a forest such that, for each tree H of Head, its internal nodes have labels in Σ and its leaves have labels in Σ F! V; there is no repeated variable in H and each variable occurring in it also occurs in Body; and there is one designated node c in H called the constructor node, such that the subtree rooted at c contains all variables in H. In graphical representations, this constructor node is marked with set parenthesis. (In absence of variables in H, the constructor may be omitted). As for patterns, we consider queries evaluated relative to a specified node in the input tree. A relative query is defined like a query, except that its body is a relative pattern (P, self ). An example of relative query is given in Figure 3. The label of the constructor node is Process-bill. Main Catalog MailOrder Product self Price {Process-bill} Amount!Invoice Figure 3: Example of a relative query Let F be a forest and Q = Body H a query with a single tree for head. Let M be the set of matchings of Body into F. Let c be the constructor node of H and H c the subtree of H rooted at c. For each matching µ M, let µ(h c ) be an isomorphic copy of H c with new nodes, in which every variable label occurring in H is first replaced by µ() and the tree is next reduced. Then the result Q(F) is the forest obtained by replacing c in H by the reduced forest {µ(h c ) µ M}. Note that if M = then c is simply removed. Observe also that, when c is not the root, Q(F) is a single-tree forest. When c is the root, the forest may have 0, 1 or more trees. Now consider a query Q = Body H 1,...,H n. Then Q(F) = Q i (F) where for each i, Q i = Body H i. A relative query is evaluated on a pair (F,x) where F is a forest and x is a node of F. The result Q(F,x) is defined as for queries, except that matchings of the body must map self to x. Remark 2.1 The constructor node provides explicit control over nesting of results. Note that this can be seen as syntactic sugaring in AML, since the same effect can be achieved using function calls. However, the explicit constructor node is convenient from a specification viewpoint. Observe also that one could consider nesting of constructor nodes, in the spirit of group-by operators. Such an extension, which for simplicity we do not consider here, would not affect our results. 5

6 Consider the evaluation of the relative query of Figure 3 on the GAML document of Figure 1 at the unique node labeled!bill. There is a unique matching of the Body pattern and the result is isomorphic to the Head tree of the query with replaced by Nikon and by 199 (with no parenthesis for Process-bill). DTD Trees used by a GAML system may be constrained using DTDs and tree pattern formulas. For DTDs, we use a typing mechanism that restricts, for each tag a, the labels of children that a-nodes may have. As our trees are unordered, the DTD constrains, for each node, the number of children with given labels. More precisely, a DTD is a triple (Σ 0,R, R), where Σ 0 is a finite subset of Σ, R Σ 0 is the set of allowed root labels, and R is a finite set of rules a ψ where a Σ 0 and ψ is a Boolean combination of inequalities of the form b k where b Σ 0 F?! {dom} and and k is a non-negative integer 1 (here, dom is a symbol that stands for any data value). A tree T satisfies a DTD (Σ 0,r, R) if all its tags are in Σ 0, its root has label in R, and for each rule a ψ, and each node labeled a, its children satisfy the condition ψ (details are omitted). If there is no rule in R for some a Σ 0, then all nodes labeled a must be leaves. A forest F satisfies a DTD if each tree in F satisfies it. Schema and instance A GAML schema S is a tuple (Φ int,φ ext, ) where Φ int is a finite set of internal function specifications. Φ ext is a finite set of external function specifications. provides static constraints on instances of the schema. It consists of a DTD and a Boolean combination of patterns (called data constraint). We next detail Φ int and Φ ext. For each f F, let a f be a new distinct label in Σ. Intuitively, a f will be the label of the root of a tree where a call to f will be evaluated. (This tree may be seen as work space for the evaluation of the function.) Each function of Φ int is specified as a tuple f, arg(f), kind(f),γ(f),ρ(f), ret(f) where: f F is the name of the function. arg(f) (the input query) is a (relative) query. Intuitively, its role is to define the argument of a call to f, which is also the initial state in the evaluation of f. If the query defining the argument is relative, self binds to the node at which the call!f is made. kind(f) {non-continuous, continuous}. If f is non continuous, a call to f is deleted once the answer is returned. If f is continuous, the call is kept after the answer is returned, so f can be called again. γ(f) (the call guard) is a Boolean combination of (relative) patterns. A call to f can only be made if γ(f) holds. (Observe that negative conditions are allowed.) ρ(f) (the return guard) is a Boolean combination of patterns rooted at a f. The result of a call to f can only be returned when the return guard is satisfied. ret(f) (the return query) is a query rooted at a f. By slight abuse, if Φ int contains the specification of a function with name f, we say that f is in Φ int. 1 For the purpose of complexity analysis, we take the size of b k to be k. This is commensurate with the classical specification of DTDs using regular expressions. 6

7 Example 2.2 We continue with our running example. The function Bill used in Figure 1 is specified as follows. It is internal and non-continuous. Its call guard is the pattern in Figure 2 (b). The argument query is the query in Figure 3. Assuming that Invoice is an external function eventually returning Payment (with product and amount paid), the return guard and return query of Bill are: {Paid} a Bill a Bill Payment Payment Amount Amount Return guard Return query Each function f in Φ ext is specified similarly, except that the return guard ρ(f) and the return query ret(f) are missing. Intuitively, an external call can return any answer at any time. Its answer is however constrained by. We next define the semantics of GAML schemas. An instance I over a GAML schema S = (Φ int,φ ext, ) is a pair (T, eval), where T is a GAML forest and eval an injective function over the set of nodes in T labeled with?f for some f Φ int such that: 1. For each x with label?f, eval(x) is a tree in T with root label a f. 2. Every tree in T with root label a f is eval(x) for some x labeled?f. An instance (T, eval) of S is valid if T satisfies. Runs Let I = (T, eval) and I = (T, eval ) be instances of a GAML schema S = (Φ int,φ ext, ). The instance I is a possible next instance of I, denoted I I, iff I is obtained from I in one of the following ways: External call: there exists some node x in T T, labeled!f for f Φ ext, such that γ(f)(t,x) holds, where γ(f) is the call guard of f; and I is obtained from I by changing the label of x to?f. Internal call: there exists some node x in T T, labeled!f for f Φ int, such that γ(f)(t,x) holds, where γ(f) is the call guard of f; and I is obtained from I by changing the label of x to?f and adding to the graph of eval the pair (x,t ), where T is a tree consisting of a root a f connected to the forest that is the result of evaluating the argument query arg(f) on input (T,x). (All nodes occurring in T are new.) Return of internal call: there is some node x labeled?f in some tree of T, where f Φ int, such that T = eval(x) contains no running call labels?g and the return guard of f is true on T. Then I is obtained from I as follows: evaluate the return query ret(f) on T and add the resulting forest as a sibling of the node x; remove eval(x) from T and x from the domain of eval; if f is non-continuous remove the node x, otherwise change x s label to!f. Return of external call: there exists some node x labeled?f in some tree of T, for f Φ ext. Then I is obtained as for the return of internal calls, except that (i) there is no corresponding running computation to 7

8 remove from eval and (ii) the result (a forest with labels in Σ F! D appended as a sibling to x) is chosen arbitrarily. (Observe that constraints on the results of external calls can be imposed by.) Figure 4 shows a possible next instance for the instance of Figure 1 after an internal call has been made to!bill. Recall the specification of Bill from Example 2.2. The call was enabled as the guard of!bill is true on the instance of Figure 1 (see Figure 2). As!Bill is an internal call, the subtree a Bill contains the result of the argument query of!bill (see Figure 3). The dotted arrow indicates the function eval. Main a Bill Catalog!Mailorder MailOrder Process-bill Order-Id Cname?Bill!Deliver!Reject Amount!Invoice Serge Nikon Nikon 199 Figure 4: An instance with an eval link An initial instance of S is an instance of S consisting of a single tree whose root is not a function call and that contains no running call. An instance I is blocking if there is no instance I such that I I. A run of S is an infinite sequence I 0,I 1,...,I i,... of instances over S such that I 0 is an initial instance of S and for each i 0, either I i I i+1 or I i is blocking and I i+1 = I i. Note that, for uniformity, we force all runs to be infinite by repeating a blocking instance forever if it is reached. A run is valid if all of its instances satisfy. For a run ρ, we denote by adom(ρ) the set of data values occurring in ρ, which may be infinite due to external function calls. Temporal properties As mentioned in the introduction, we are interested in verifying certain properties of runs of a GAML systems. These may include generic desirable properties, such as always reaching a successful final instance (blocking and with no active function calls), as well as properties specific to the particular application, such as no product is delivered before it is paid in the right amount. To express such temporal properties of runs, we use patterns connected by Boolean and temporal operators. This yields the language Tree-LTL (and branching-time variants Tree-CTL or Tree-CTL ). More precisely, we use the auxiliary notion of QPattern (for quantified pattern). A QPattern is an expression P( ) where P is a pattern and is a subset of of its variables that are designated as free. All other variables are taken to be existentially quantified, locally to P (this could be made explicit by writing Ȳ (P), where Ȳ is the set of variables occurring in P and not.) The syntax of Tree-LTL formulas is defined by the following grammar: ϕ := QPattern ϕ ϕ ϕ ϕ ϕ ϕ U ϕ ϕ where U stands for until and for next, with the usual semantics, e.g. see [17]. Given a Tree-LTL formula ϕ, its free variables are the free variables of its patterns. A Tree-LTL sentence is an expression ψ = ϕ( ), where ϕ is a Tree-LTL formula and are the free variables of ϕ. (As previously mentioned, variables that are not free are existentially quantified locally to each pattern.) We refer to as the global variables of ψ (if is empty, we say that ψ has no global variables). Whenever convenient, we use as shorthand additional standard temporal operators expressible using and U, such as F (eventually) and G (always). We now turn to the semantics of Tree-LTL. Intuitively, a sentence ϕ( ) holds for a schema S iff ϕ( ) holds on every valid run of S with every interpretation of into the active domain of the run. More formally, consider first the case when ϕ has no free variables. Consider a run ρ of S. Satisfaction of a 8

9 pattern without free variables by an instance was defined previously. Therefore, patterns can be treated as propositions and we can use the standard semantics of LTL to define when ρ satisfies ϕ, denoted by ρ = ϕ. Consider now a Tree-LTL sentence σ = ϕ( ). For a run ρ of S, we say that ρ satisfies ϕ( ), and denote this by ρ = ϕ( ), if ρ satisfies ϕ(h( )) for each valuation h of into adom(ρ). We say that S satisfies σ, denoted S = σ, if every valid run of S satisfies σ. Two examples of Tree-LTL formulas are given next. Every mail order is eventually completed (delivered or rejected): [G( Main F( Main Main ))] MailOrder MailOrder MailOrder Order-Id Order-Id Delivered Order-Id Rejected Every product for which a correct amount has been paid is eventually delivered (note that the variable Z is implicitly existentially quantified in the left pattern): [G( Main F( Main ))] Catalog MailOrder MailOrder Product Paid Order-Id Order-Id Delivered Price Amount Z Z Figure 5: Some Tree-LTL formulas. The branching-time variants Tree-CTL ( ) are defined analogously. Not surprisingly, satisfaction of Tree-LTL sentences is undecidable for arbitrary GAML systems. To obtain positive results, we need to place drastic but natural restrictions on these systems. We present in the next section such restrictions and decidability results, and then show how even small relaxations yield undecidability. 3 Recursion-free GAML Most of our positive results are obtained under the assumption that AML services are recursion-free. This restriction essentially bounds the number of function calls in a run of the system. The external functions are clearly a source of difficulty for enforcing non-recursiveness syntactically, since an external function f may return some data with a call to some external function g, and g some data with a call to f. To circumvent this, we must assume some signature information on external functions. We do this by including in the specification of each external function f the set fun(f) of functions that are allowed to appear in the results of calls to f. The definition of valid run is modified so that this restriction is obeyed. For internal functions f and g, g is in fun(f) if!g occurs in the result of the argument or return query of f. (This can be checked syntactically by inspecting the head of the respective queries.) 9

10 To define non-recursiveness, we use the auxiliary notion of call graph that captures (syntactic) dependencies between function calls in the schema. Let S = (Φ int,φ ext, ) be a GAML schema. The call graph G of S is a directed graph whose nodes are Φ int Φ ext and for which there is an edge from f to g if g fun(f). Definition 3.1 Let S = (Φ int,φ ext, ) be a GAML schema. We say that S is recursion-free iff the following hold: (i) the DTD of is non-recursive, (ii) no function call!f occurs more than once in a tree satisfying the DTD of, (iii) no function of S is continuous, and (iv) the call graph of S is acyclic. Condition (i) is used because recursive DTDs dramatically complicate verification issues. For instance, the satisfisfiability of a Boolean combination of tree pattern queries in presence of recursive DTDs is undecidable [12]. As mentioned above, the definition of recursion-free schema is meant to enforce a static bound on the number of function calls made in a valid run. Recall that the initial instance of a run is a single tree. Because of (ii), it therefore includes a bounded number of function calls. Conditions (iii) and (iv) keep the number of service calls made in a run under control by prohibiting the immediate causes of recursion. Condition (ii) deals with another possible source of unbounded calls, the presence of an arbitrary number of them in answers to external function calls. Condition (ii) could be relaxed without loss by allowing a bounded number of calls to each function rather than a single one. Also, recall that an instance is a forest of trees (except for the initial one); and note that condition (ii) restricts each tree in an instance, but not the instance as a whole. Thus, a function call may appear in several different trees of the same instance. Note that, although runs of recursion-free GAML schemas reach a blocking instance after a bounded number of function calls, they remain infinite-state systems because of the presence of an unbounded number of data values. Thus, there is no straightforward reduction to finite-state model checking. The main result of the section is that satisfaction of a Tree-LTL sentence by a recursion-free GAML schema is CO-2NEPTIME-complete. We first provide the proof of the upper bound, then proceed with the lower bound. 3.1 Upper bound Let S = (Φ int,φ ext, ) be a recursion-free GAML schema and ϕ a Tree-LTL sentence of the form ψ( ). Clearly, S = ϕ iff there is no valid run of S that satisfies ψ( ). Let D be an arbitrary subset of D with as many elements as variables in. Clearly, the above is equivalent to the following: there is no valid run ρ of S with domain D D and no mapping h from to D such that ρ satisfies ξ = ψ(h( )), where ψ(h( )) is obtained from ψ by replacing, for each pattern in ψ for which is a free variable, the label by h( ) (note that the resulting ξ has no global variables). Thus, the question of whether S = ϕ is reduced to a satisfiability problem. Decidability is shown by proving a small model property. Let S be a recursion-free GAML schema. A pre-run of S is a finite prefix of a run ending in the first occurrence of its blocking instance. We say that a pre-run of S satisfies a Tree-LTL sentence ξ iff its infinite extension satisfies ξ. We show that if there is a valid run satisfying ϕ then there is a valid pre-run satisfying ϕ of size bounded by a function computable from S and ϕ. The decision procedure is then obtained by guessing a run of that size and checking that it 10

11 is indeed a valid run satisfying ϕ. The following proposition shows that this last step is decidable. Its proof uses standard Büchi automata techniques, after replacing each pattern in ξ by a suitable proposition. Proposition 3.2 Let S be a recursion-free GAML schema and ξ a Tree-LTL sentence with no global variables. Given a pre-run ρ = I 0,...I k of S, one can check whether ρ satisfies ξ using a non-deterministic algorithm in time O( ρ ξ ). Proof: Let P be the set of tree patterns used in ξ. For each m [0,k], let σ m be the truth assignment on P such that for each P in P, σ m (P) = 1 iff I m = P (note that the latter can be checked in time exponential in P ). Let A ξ be the Büchi automaton for the formula ξ where the tree patterns are replaced by distinct propositions (also denoted by P by slight abuse), and whose alphabet consists of the truth assignments for P. The standard construction of A ξ produces an automaton whose number of states is exponential in ξ. PSPACE algorithm assignment σ, definition of A ξ ) ρ = ξ iff A ξ accepts the infinite word σ 0,...,σ k,σ k,..., i.e. iff A ξ goes infinitely often through an accepting state. A simple pumping argument shows that this happens iff an accepting state can be reached twice from a state reached under input σ 0,...,σ k by reading again σ k at most 2 A ξ times. This yields the desired non-deterministic algorithm taking time O( ρ ξ ). It remains to show that if there is a valid run satisfying ϕ then there is a valid pre-run of small size. We do this in two steps. In the first step we show that the lenght of a valid pre-run satisfying ϕ can be assumed bounded by an exponential in the size of the schema. In the second step, we show that the size of each instance of the pre-run can also be bounded. The following proposition takes care of the first step and shows that if S is recursion-free, then each valid run of S reaches a blocking instance after a number of transitions that is exponential in the size of the schema. This is a consequence of the fact that without recursion, only finitely many calls to each function can be made. Proposition 3.3 Let S = (Φ int,φ ext, ) be a recursion-free GAML schema. There exists a non-negative integer k, exponential in Φ int Φ ext, such that all valid runs of S reach a blocking instance in at most k transitions. Proof: Let Φ = Φ int Φ ext and κ = Φ. Let G be the call graph of S. By (iv) in the definition of recursion-free schema, G is acyclic. Let G 0 be the set of functions f Φ with in-degree zero in G. The depth of a function f of Φ is the maximum distance between the node representing f in G and a node of G 0. We show by induction on i that a function f of depth i can be called at most (2 κ) i times. For i = 0 this is clear, since the function may be called only if it is present in the initial instance and, because S is recursionfree and the initial instance is a tree, it can only occur once in the initial instance. For arbitrary i, let G f be the set of parents of f in G. By induction, a function g of G f can be called at most (2 κ) i 1 times. Because S is recursion-free, one execution of g may produce at most two direct executions of f (one generated by the argument query, the other by the return query). Hence f is executed at most 2 G f (2 κ) i 1 (2 κ) i as G f κ. As the depth of G is bounded by κ, each function is eventually executed at most (2 κ) κ times, hence the bound on the length of the run. The next proposition is key to our decision algorithm. It shows that only runs with small instances need to be considered. This is the most difficult part of the proof and is achieved by carefully identifying a small set of nodes sufficient to witness satisfaction of the patterns needed for the run to be valid and satisfy ξ. Proposition 3.4 Let S be a recursion-free GAML schema and ξ a Tree-LTL sentence with no global variables. If there exists a valid pre-run of S satisfying ξ, then there exists a valid pre-run of the same length satisfying ξ, such that each of its instances has size doubly exponential in ξ and S. 11

12 Proof: The main idea of the proof is as follows. Let I 0,...,I k be a valid pre-run of S satisfying ξ. We construct another valid pre-run R 0,...,R k such that for each m [0,k], R m is a sub-instance of I m whose size can be statically bounded, and R m and I m satisfy exactly the same patterns used in ξ. The idea is to make sure that each R m contains witnesses for all patterns in ξ satisfied by I m, and also that it can mimic the transitions in the original run by keeping the skeleton of I m (all paths from roots to nodes labeled with function symbols?f or tags a f ) and also witnesses required to make the appropriate guards true. Satisfaction of the DTD must also be ensured, which requires additional witnesses. The construction is done in two passes: first, the needed witnesses are collected starting from I k and backward to I 0. Then, the actual pre-run R 0,...,R k is generated starting from the sub-instance of I 0 containing the collected witnesses, by mimicking the transitions in the original run. In order to establish Proposition 3.4 we first show several lemmas. Note that, for the proof, can be assumed to consist only of a DTD, since the data constraints can be absorbed into the property ϕ to be verified. We use the following terminology. Let I = (T, eval) be an instance of S = (Φ int,φ ext, ). A subinstance of I is an instance J = (T, eval ) of S such that (i) each tree T in T is a prefix 2 of some tree T in T, (ii) T includes all nodes in T labeled by symbols?f and a f, and eval maps each node x labeled?f to the tree in T that is a prefix of eval(x). We denote by J I the fact that J is a sub-instance of I. Note that eval is uniquely determined by T and I. An important property of a subinstance is that it preserves the false patterns: If a pattern does not hold in I, then it does not hold in any of its subinstances. The next result shows how we can propagate backwards sub-instances throughout a run. Note that the lemma does not assume non-recursiveness. Lemma 3.5 Let S = (Φ int,φ ext, ) be a GAML schema, I and I instances of S such that I I, and let K I. Then there exists Pre(K) I and K I such that Pre(K) K, K K, and Pre(K) d g + (d b + 1) K, where d is the maximum depth of a tree satisfying, g is the maximum size of a guard and b the maximum size of the body of an argument or return query in S. Proof: We do a case analysis on the transition I I. Suppose first that I is obtained from I as a result of a function call!f at a node x. Let γ(f) be the call guard of f. For each pattern P occurring in γ(f) that holds in (I,x), let µ P be a matching of P into (I,x), and let G be the forest induced by all the nodes in the images of some µ P together with their ancestors. Note that the size of G is bounded by d γ(f) d g. If f is an external function, then Pre(K) consists of G together with K, with the label of x changed from?f to!f. Suppose f is an internal function. Let T be the tree in I with root r labeled a f resulting from the call. Recall that T consists of r with subtrees resulting from the evaluation of the argument query of f, Body Head on (I,x). For each tree H in Head, let c be its constructor node and H c the corresponding subtree. For each matching µ of Body into (I,x) we denote by µ(h c ) the set of nodes of I that are induced by this matching. Let M be the set of matchings µ for which µ(h c ) intersects K for some H in Head. Then the nodes of Pre(K) are those of G together with those belonging to both K and I, and those occurring in {µ(body) µ M}, together with their ancestors. Note that Pre(K) K + d γ(f) + d Body K d g + (d b + 1) K. To see that Pre(K) satisfies the other conditions of the lemma, note first that Pre(K) contains x with label!f (the same as in I) and γ(f) holds in (Pre(K),x). Thus, there exists K such that Pre(K) K and K is obtained from Pre(K) by a call to f at node x. If f is an external function, K K by construction. If f is an internal function, K is obtained from Pre(K) by evaluating arg(f) = Body Head on (Pre(K), x). Since by construction all matchings 2 A tree T is a prefix of a tree T if T is a subgraph of T and for each node x in T, all nodes on the path from x to the root in T are also in T. 12

13 of Body into (I,x) in M are also matchings in (Pre(K),x), it easily follows that K K (modulo node renaming). Since Pre(K) I and the transitions I I and Pre(K) K are the result of the same function call, it also follows that K I. Next, suppose I is obtained from I by the return of the result of a function call?f at node x. Suppose f is an external function. Then Pre(K) is the smallest sub-instance of I containing K from which the subtrees belonging to the result of the call are deleted. If f is an internal function, Pre(K) is obtained similarly to the above. In this case again, Pre(K) K + d ρ(f) + d Body K where ρ(f) is the return guard of f and Body is the body of the return query of f, so Pre(K) d g + (d b + 1) K. The proof that Pre(K) K where K K I is similar to the above. In constructing our "small" run, we will need to enforce validity of the instances with respect to. To this end, we use the notion of "completion" of an instance. Let J be a sub-instance of I. A completion J of J with respect to I and is defined as follows. Let max( ) be the maximum integer used in the specification of. First, let J be obtained by adding to J all subtrees of I rooted at nodes in J. Next, J is obtained from J as follows. For each node x of J, if x has more than max( ) children in J that are not in J and have the same label a Σ {!f f Φ int Φ ext }, retain max( ) of them and remove from J the rest (together with their subtrees). Similarly, if x in J has more than max( ) children in J that are not in J and are labeled by (possibly distinct) data values, retain max( ) of them and remove the rest from J. The following is easily seen. Note that, like Lemma 3.5, the following does not assume non-recursiveness. Lemma 3.6 Let S be a GAML schema. Suppose I is an instance of S, I =, J is a sub-instance of I, and J is a completion of J with respect to I and. Then for every instance L such that J L I, if x is a node in J, then the set of children of x in L satisfies (in particular, J = ). Furthermore, J d (a max( )) d J, where d is the maximum depth of a tree satisfying and a is the size of the alphabet of. Proof: Suppose J L I and x is a node in J. Consider the children of x in L. By construction, for each label b, the number of children of x with label b in L is either the same as in I or lies between max( ) and the number of such children in I (and similarly for nodes labeled with data values). In either case, for k max( ), b k holds in L iff it holds in I for the children of x. Since I =, it follows that is satisfied by the children of x in L. Finally, the bound on J is immediate. We are now ready to complete the proof of Proposition 3.4. Let ρ = I 0,...,I k be a valid pre-run of S satisfying ξ. We construct a valid pre-run R 0,...,R k of bounded size such that for all m [0,k], I m and R m satisfy exactly the same patterns occurring in ξ. Since I 1,...,I k satisfies ξ, so does R 1,...R k. Let P be the set of patterns occurring in ξ. For each m [0,k] and pattern P P that holds in I m, let σ P,m be one matching of P into I m, and let Match m (P) be the image of {σ P,m P P,I m = P }. The skeleton of ρ is the set of all nodes occurring on a path from root to a node labeled with a function symbol?f or a f, in some I m, 0 m k. We define by backward induction valid sub-instances J m of I m as follows. For the basis, consider m = k. Recall that I k is blocking. For each node x in I k labeled by a function call!f, and each pattern P in γ(f) that matches into (I k,x), let σ P be such a matching. Let G be set of nodes in the image of all such matchings. Let J k be the minimum sub-instance of I k that includes G, all nodes of I k that belong to the skeleton of ρ, and all nodes in Match k (P). Let J k be a completion of J k with respect to I k and. For the inductive step, let m < k. Let Pre( J m+1 ) be constructed from J m+1 as in Lemma 3.5. Next, let J m be the minimum sub-instance of I m containing Pre( J m+1 ), the nodes of I m that belong to the skeleton of ρ, and the nodes in Match m (P). Finally, let J m be a completion of J m with respect to I m and. 13

14 We next define by forward induction the desired valid pre-run R 0,...,R k, starting with R 0 = J 0. As we shall see, Jm R m I m for 0 m k and R m =. The basis (R 0 = J 0 ) is clear. Let 0 m < k and suppose R m has been defined, R m satisfies, and J m R m I m. By construction, Pre( J m+1 ) J m, so Pre( J m+1 ) R m. By Lemma 3.5, Pre( J m+1 ) K where J m+1 K I m+1. Since Pre( J m+1 ) R m I m, it follows that R m R m+1 where K R m+1 I m+1, and the transition R m R m+1 results from the same function call or result return as in I m I m+1. The transition is uniquely determined, except in the case of the return of the result of an external call. In this case, consider the forest F which is the result of the same function call in I m+1. Let R m+1 be obtained from R m by returning as answer to the external call F J m+1. In all cases, since J m+1 K, we have the desired inclusions J m+1 R m+1 I m+1. To see that R m+1 =, consider the possible transitions from R m to R m+1. Suppose R m+1 is obtained from R m by a function call to f. If f is external, is clearly satisfied. If f is internal, note that, since R m =, the only violation of in R m+1 could occur if the number of trees in the answer to the argument query of the call on R m is disallowed by under root a f. However, this cannot happen by Lemma 3.6, since J m+1 R m+1 and the root belongs to J m+1. Now suppose R m+1 is obtained from R m by the return of the result of a call to a function f. If f is internal, the argument is similar to the above (we use here the fact that the root under which the result of the function call is returned in I m+1 is part of the skeleton of ρ so belongs to J m+1 ). Suppose f is external. Recall that by construction, the answer to the external call consists of sibling subtrees of J m+1 sitting under some node x, and each tree in the answer satisfies (because I m+1 = ). R m+1 may contain additional sibling subtrees under x that are not in J m+1 because they were already in R m, and each satisfies. Since J m+1 R m+1, and x is in J m+1, the set of children of x in R m+1 also satisfies, by Lemma 3.6. Thus, R m+1 =. This completes the induction. Clearly, for each m [0,k], R m and I m satisfy exactly the same patterns in P, because J m R m I m and each P P that holds in I m also has a match in J m, so in R m. Conversely, if P does not hold in I m it cannot hold in R m. Finally, R k is blocking because I k is blocking and R k and I k satisfy exactly the same patterns occurring in the call guards. We now provide a bound for the pre-run R 0,...,R k. We denote by s the size of S and by l the size of ξ. Recall that d is the depth of all trees that are valid for and that d s. Recall also that g is the maximum size for a guard and that g s. >From the above it follows that: k is exponential in s (Proposition 3.3). The skeleton sk(ρ) of ρ = I 0,...,I k is bounded by k d 2 k. To see this notice that a run of length k can call at most k functions. Hence an instance of this run has at most k nodes labeled a f and k nodes labeled?f. Each such node has at most d ancestors and there are k instances. Hence sk(ρ) = O(s k 2 ). The size of J k is bounded by sk(ρ) + d g 2 k + d ξ. The term d g 2 k bounds the size of G (we need to consider a most 2 k guards) and d ξ bounds the size of Match k (P). Thus, J k = O(s 2 l k 2 ). By Lemma 3.6, J = O(s 2s+1 J ), so J k = O(k 2 l s 2s+3) ). Consider J m for m < k. By construction, J m Pre(J m+1 ) + sk(ρ) + Match m (P). By Lemma 3.5, Pre(J m+1 ) = O(s 2 J m+1 ). Also, sk(ρ) = O(s k 2 ) ( see above) and Match m (P) = O(s l). It follows that J m = O(s 2s+1 (s 2 J m+1 + s k 2 + s l)) = O(k 2 l s 2s+3 J m+1 ). 14

15 From the above, it follows that J 0 = O((k 2 l s 2s+3 ) k J k ) = O((k 2 l s 2s+3 ) k k 2 l s 2s+3 ) = O(k 2k+1 l k+1 s (2s+3)(k+1) ). Thus, J0 is doubly exponential with respect to S and ξ. Now consider the pre-run R 0,...,R k. At each transition R m R m+1, the instance R m can increase by at most J 0 v h, where v is the maximum number of variables in the head of a query of S, and h is the maximum size of a query head. Recall that by construction, the result of an external call is bounded by the maximum size of J m, m [0,k], to which the bound established above for J 0 applies. Thus, each R m remains doubly exponential in S and ξ. This completes the proof of Proposition 3.4. We are now ready to show the desired upper bound. Proposition 3.7 It is decidable in CO-2NEPTIME, given a recursion-free GAML schema S and a Tree- LTL sentence ϕ, whether each valid run of S satisfies ϕ. Proof: Let S = (Φ int,φ ext, ) be a recursion-free GAML schema and ϕ a Tree-LTL sentence of the form ψ( ). In view of Propositions , a 2NEPTIME decision procedure for checking whether S = ϕ is the following: 1. Guess D D with as many elements as variables in, and a valuation h of into D ; 2. Construct the formula ξ = ψ(h( )), where ψ(h( )) is obtained from ψ by replacing, for each pattern in ψ for which is a free variable, the label by h( ); 3. Guess a valid initial instance R 0 of S, of size doubly exponential in S and ξ. 4. Generate non-deterministically a valid pre-run R 0,...,R k of S; in the case of external function calls, guess an arbitrary answer of size at most doubly exponential in S and ξ. A blocking instance R k is guaranteed to be reached after a number of transitions exponential in S. 5. Check that R 0,...,R k satisfies ξ. Note that (5) remains in 2NEPTIME by Proposition Lower bound We next establish the lower bound for verification of recursion-free GAML systems. Proposition 3.8 It is CO-2NEPTIME-hard to check whether a recursion-free GAML schema satisfies a Tree-LTL sentence. Proof: We prove a stronger version of the theorem, in which the Tree-LTL sentence is the fixed sentence false, and S is constructed so that the call and return guards of all functions are true. (By slight abuse, we say in this case that S has no call guards.) Thus, the necessary control is achieved exclusively using the DTD and data constraints. This will be useful in proving other lower bounds in the paper. Let M be a non-deterministic Turing Machine running in time 2 2n on inputs of size n. Let w be a string of length n. We construct a a recursion-free GAML service S such that M accepts w iff S violates false. Note that S violates false iff S has some valid run. We next describe the encoding of a computation of M in the initial instance of S. A computation of M on input w of length n consists of 2 2n successive configurations, each of which is a sequence of symbols of 15